Re: [Freeipa-users] SSH login to client
On Thu, Jun 09, 2016 at 08:43:57AM -0400, Pavel Picka wrote:
>
>
> - Original Message -
> From: "David Kupka"
> To: "Pavel Picka", freeipa-users@redhat.com
> Sent: Thursday, June 9, 2016 1:45:26 PM
> Subject: Re: [Freeipa-users] SSH login to client
>
> On 09/06/16 13:18, Pavel Picka wrote:
> > Hi,
> >
> > Have anyone experience, when create user on ipa-server, and want to login
> > on client with this user I get :
> >
> > Permission denied, please try again.
> > Permission denied, please try again.
> > Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
> >
> > (with kinit [1st time change] was password changed to new one)
> > even with another change with ipa user-mod --password I am getting same
> > result
> >
> > and on client in /var/log/messages found :
> >
> > Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> > Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> > Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> > Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> > Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
> > Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
> >
> > --
> > Pavel Picka
> >
> Hi Pavel!
>
> I have few questions that may help locating the issue:
>
> Are you able to kinit as the user on server and client?
> - kinit is ok on both
> Are you able to ssh to the client as the admin?
> - no I am not able to use 'admin' to ssh to client
> What is the output of "id user" on client?
> [root@rhel04 ~]# id tuser
> uid=41821(tuser) gid=41821(tuser) groups=41821(tuser)
>
>
> I have noticed I am able ssh when 'kinit user' is active
>
> For detailed logs here is ssh -vvv
>
> http://pastebin.test.redhat.com/382140

This makes sense, GSSAPI authentication would be used in this case and
SSSD is not involved in the authentication at all. But your paste ends
with 'Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).'
Are you sure you pasted the right test?

>
> @Sumit
>
> I found /var/log/sssd/krb5_child.log empty, but didn't set log level to 10,
> is it done by krb5.conf or else?

Please add 'debug_level=10' to the [domain/] section of
/etc/sssd/sssd.conf.

bye,
Sumit

>
> --
> David Kupka

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] SSH login to client
On (09/06/16 08:43), Pavel Picka wrote:
>
>
>- Original Message -
>From: "David Kupka"
>To: "Pavel Picka", freeipa-users@redhat.com
>Sent: Thursday, June 9, 2016 1:45:26 PM
>Subject: Re: [Freeipa-users] SSH login to client
>
>On 09/06/16 13:18, Pavel Picka wrote:
>> Hi,
>>
>> Have anyone experience, when create user on ipa-server, and want to login on
>> client with this user I get :
>>
>> Permission denied, please try again.
>> Permission denied, please try again.
>> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
>>
>> (with kinit [1st time change] was password changed to new one)
>> even with another change with ipa user-mod --password I am getting same
>> result
>>
>> and on client in /var/log/messages found :
>>
>> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
>> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
>> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
>> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
>> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
>> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
>>
>> --
>> Pavel Picka
>>
>Hi Pavel!
>
>I have few questions that may help locating the issue:
>
>Are you able to kinit as the user on server and client?
>- kinit is ok on both
>Are you able to ssh to the client as the admin?
>- no I am not able to use 'admin' to ssh to client
>What is the output of "id user" on client?
>[root@rhel04 ~]# id tuser
>uid=41821(tuser) gid=41821(tuser) groups=41821(tuser)
>
>
>I have noticed I am able ssh when 'kinit user' is active
>
>For detailed logs here is ssh -vvv
>
>http://pastebin.test.redhat.com/382140
>
>@Sumit
>
>I found /var/log/sssd/krb5_child.log empty, but didn't set log level to 10,
>is it done by krb5.conf or else?

/etc/sssd/sssd.conf and domain section.

You might find the following wiki useful.
https://fedorahosted.org/sssd/wiki/Troubleshooting

LS

Re: [Freeipa-users] SSH login to client
- Original Message -
From: "David Kupka"
To: "Pavel Picka", freeipa-users@redhat.com
Sent: Thursday, June 9, 2016 1:45:26 PM
Subject: Re: [Freeipa-users] SSH login to client

On 09/06/16 13:18, Pavel Picka wrote:
> Hi,
>
> Have anyone experience, when create user on ipa-server, and want to login on
> client with this user I get :
>
> Permission denied, please try again.
> Permission denied, please try again.
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
>
> (with kinit [1st time change] was password changed to new one)
> even with another change with ipa user-mod --password I am getting same result
>
> and on client in /var/log/messages found :
>
> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
>
> --
> Pavel Picka
>
Hi Pavel!

I have few questions that may help locating the issue:

Are you able to kinit as the user on server and client?
- kinit is ok on both
Are you able to ssh to the client as the admin?
- no I am not able to use 'admin' to ssh to client
What is the output of "id user" on client?
[root@rhel04 ~]# id tuser
uid=41821(tuser) gid=41821(tuser) groups=41821(tuser)


I have noticed I am able ssh when 'kinit user' is active

For detailed logs here is ssh -vvv

http://pastebin.test.redhat.com/382140

@Sumit

I found /var/log/sssd/krb5_child.log empty, but didn't set log level to 10,
is it done by krb5.conf or else?

--
David Kupka

Re: [Freeipa-users] SSH login to client
On 09/06/16 13:18, Pavel Picka wrote:
> Hi,
>
> Have anyone experience, when create user on ipa-server, and want to login on
> client with this user I get :
>
> Permission denied, please try again.
> Permission denied, please try again.
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
>
> (with kinit [1st time change] was password changed to new one)
> even with another change with ipa user-mod --password I am getting same result
>
> and on client in /var/log/messages found :
>
> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
>
> --
> Pavel Picka

Hi Pavel!

I have few questions that may help locating the issue:

Are you able to kinit as the user on server and client?
Are you able to ssh to the client as the admin?
What is the output of "id user" on client?

--
David Kupka

Re: [Freeipa-users] SSH login to client
On Thu, Jun 09, 2016 at 07:18:19AM -0400, Pavel Picka wrote:
> Hi,
>
> Have anyone experience, when create user on ipa-server, and want to login on
> client with this user I get :
>
> Permission denied, please try again.
> Permission denied, please try again.
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
>
> (with kinit [1st time change] was password changed to new one)
> even with another change with ipa user-mod --password I am getting same result
>
> and on client in /var/log/messages found :
>
> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed

Can you send the full debug_level=10 content of krb5_child.log for a
single attempt (same pid in [sssd[krb5_child[]]])? The error might not be
related to the user password but e.g. to an old keytab and krb5_child
fails to establish the FAST tunnel.

bye,
Sumit

>
> --
> Pavel Picka

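The two checks suggested in the reply above, as an added shell example that is not part of the original thread: it groups the syslog failures by krb5_child pid so that a single attempt can be cut out of a log, and it tests whether the host keytab still authenticates. The function names and the sample lines are constructed; the keytab path /etc/krb5.keytab and the principal host/<fqdn> are assumed defaults for an IPA client.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names are hypothetical.

# Constructed sample in the /var/log/messages format quoted in the thread.
sample_messages() {
cat <<'EOF'
Jun 9 12:36:01 rhel04 sshd[4630]: Failed password for tuser from 192.0.2.10 port 51234 ssh2
Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
EOF
}

# Print the krb5_child pid of every "Decrypt integrity check failed" line on stdin.
failed_pids() {
  sed -n 's/.*\[sssd\[krb5_child\[\([0-9][0-9]*\)]]]: Decrypt integrity check failed.*/\1/p'
}

# One line per login attempt: "<pid> <number of failures logged>".
failed_attempts() {
  failed_pids | sort -n | uniq -c | awk '{ print $2, $1 }'
}

# Pid of the most recent failed attempt (last matching line on stdin).
last_failed_pid() {
  failed_pids | tail -n 1
}

# Keep only the lines on stdin written by one krb5_child process ($1 = pid).
attempt_log() {
  grep -F -- "[sssd[krb5_child[$1]]]"
}

# Request a TGT with the host keytab into a throwaway credential cache.
# A non-zero exit means the keytab no longer matches the KDC (the "old
# keytab" case), independent of any user password.
check_host_keytab() {
  keytab="${1:-/etc/krb5.keytab}"     # assumed default keytab path
  cc="$(mktemp)" || return 1
  KRB5CCNAME="FILE:$cc" kinit -k -t "$keytab" "host/$(hostname -f)"
  rc=$?
  rm -f "$cc"
  return "$rc"
}
```

On the client, `attempt_log "$(last_failed_pid < /var/log/messages)" < /var/log/sssd/krb5_child.log` yields the single-attempt log asked for, provided krb5_child.log tags its lines with the same `[sssd[krb5_child[PID]]]` string.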
Re: [Freeipa-users] SSH login to client
On Thu, Jun 09, 2016 at 07:18:19AM -0400, Pavel Picka wrote:
> Hi,
>
> Have anyone experience, when create user on ipa-server, and want to login on
> client with this user I get :
>
> Permission denied, please try again.
> Permission denied, please try again.
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
>
> (with kinit [1st time change] was password changed to new one)
> even with another change with ipa user-mod --password I am getting same result
>
> and on client in /var/log/messages found :
>
> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
> Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed

This normally means wrong password. Does this happen only with the
initial expired password or even after you reset the password and kinit?

Can you send more verbose krb5_child.log?

[Freeipa-users] SSH login to client
Hi,

Have anyone experience, when create user on ipa-server, and want to login on
client with this user I get :

Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

(with kinit [1st time change] was password changed to new one)
even with another change with ipa user-mod --password I am getting same result

and on client in /var/log/messages found :

Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
Jun 9 12:36:02 rhel04 [sssd[krb5_child[4635]]]: Decrypt integrity check failed
Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
Jun 9 12:36:05 rhel04 [sssd[krb5_child[4637]]]: Decrypt integrity check failed
Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed
Jun 9 12:36:28 rhel04 [sssd[krb5_child[4641]]]: Decrypt integrity check failed

--
Pavel Picka